Highlights

Symantec has researched app permissions and fraudulent apps

Some of the apps were found to request "risky" permissions

68 fraudulent apps built by 5 developers were found on Google Play

While Apple and Google regularly update their respective app store listings to limit malicious apps to some extent, Symantec has highlighted that there are tons of apps that put user privacy at risk. Through new research, the company found that many apps available on Google Play and the Apple App Store request permissions for, or excessive access to, users' personal information. In a couple of blog posts, Symantec has detailed how personal information is gathered through different apps, and how various fraudulent apps on Google Play contain aggressive advertisements.

Symantec, the company behind Norton antivirus, downloaded the top 100 free apps from the Google Play Store and the Apple App Store to analyse how much personal information users were sharing with the apps, and which smartphone features the apps accessed. It found that email addresses were the most common piece of personally identifiable information shared with apps. As many as 48 percent of the iOS apps and 44 percent of the Android apps analysed were reportedly sharing email addresses. Next came the username that users typically enter on social networking sites or in an app. It was shared with 33 percent of iOS apps and 30 percent of Android apps, out of the total 100 apps analysed. Phone numbers were also spotted being shared with 12 percent of iOS apps and nine percent of Android apps. In addition, the user's address was shared with four percent of iOS apps and five percent of Android apps.

Importantly, the available stats don't account for all of the personal information being shared with apps. Symantec notes that several apps integrate with social media to obtain user data directly from the connected social media account.

It was found that many apps ask for permission to access various features on your device, and that some of these permissions could provide access to data or resources that involve the user's private information, or could potentially affect the user data stored on the device or the operation of other devices. Symantec has termed these "risky permissions".

"Camera access was the most requested common risky permission, with 46 percent of Android apps and 25 percent of iOS apps seeking it. That was closely followed by location tracking, which was sought by 45 percent of Android apps and 25 percent of iOS apps. Twenty-five percent of Android apps requested permission to record audio, while 9 percent of iOS apps did. Finally, 15 percent of Android apps sought permission to read SMS messages and 10 percent sought access to phone call logs. Neither of these permissions is available in iOS," Symantec said in the blog post.

Symantec has additionally found that some apps request extensive permissions. One such app the company pointed out is the Android horoscope app Zodiac Signs 101 - 12 Zodiac Signs & Astrology, which has been downloaded more than a million times. It asks for permissions such as precise user location, access to the user's contacts, sending and receiving SMS messages, receiving MMS messages, directly calling phone numbers, rerouting outgoing calls, access to phone call logs, and access to the camera, among others. The second such app that the Symantec team analysed was the Android flashlight app Brightest Flashlight LED - Super Bright Torch, which has 10 million installs.

"Ultimately, it may be up to the user to ask if these additional features are essential to the function of the app and if it's worth granting permissions for features that only provide marginal benefits," the team wrote.
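The question the team poses can be asked of a specific app by comparing the permissions in its decoded AndroidManifest.xml against the categories named above. The following Python sketch is an added example, not Symantec's tooling: the mapping from the article's categories to Android permission names, the `expected` parameter, and the sample manifest for a hypothetical flashlight app are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Assumed mapping: the article's risky categories -> Android permission names.
RISKY = {
    "camera": {"CAMERA"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "record audio": {"RECORD_AUDIO"},
    "sms/mms": {"READ_SMS", "SEND_SMS", "RECEIVE_SMS", "RECEIVE_MMS"},
    "calls and call logs": {"READ_CALL_LOG", "CALL_PHONE", "PROCESS_OUTGOING_CALLS"},
    "contacts": {"READ_CONTACTS"},
}

# Constructed sample: decoded manifest of a hypothetical flashlight app.
# (APKs ship the manifest as binary XML; decode it to text first.)
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Flashlight"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the short names of all platform permissions the manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # Runtime-only declarations use the separate uses-permission-sdk-23 tag.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name.startswith(PREFIX):
                names.add(name[len(PREFIX):])
    return names

def audit(manifest_xml, expected=frozenset()):
    """Map each risky category the app requests, but its function does not explain, to the permissions found."""
    requested = requested_permissions(manifest_xml)
    findings = {}
    for category, perms in RISKY.items():
        hits = sorted(requested & perms)
        if hits and category not in expected:
            findings[category] = hits
    return findings

if __name__ == "__main__":
    # A torch plausibly needs the camera (flash); everything else is flagged.
    for category, perms in audit(SAMPLE_MANIFEST, expected={"camera"}).items():
        print(f"unexpected {category}: {', '.join(perms)}")
```
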

Apart from the apps asking for extensive permissions, Symantec found that four percent of the Android apps and three percent of the iOS apps requesting risky permissions didn't have any privacy policy. It was also discovered that only a minority of apps implement certificate pinning at login, a security precaution that helps prevent attackers from intercepting supposedly secure communications. As many as eight percent of Android apps and 11 percent of iOS apps were found to lack any certificate pinning. Furthermore, it was found that some apps that do have privacy policies can still make it cumbersome for users to keep track of what they are consenting to. The complexity increases when apps integrate third-party apps.

"Of the Android apps that require risky permissions, 40 percent have links to third-party apps. Either normal app functionality is interrupted with advertisements or there were links to third-party apps for normal functionality (for example purchase links to seller sites). Meanwhile, 16 percent of the iOS apps that require risky permissions have links to third-party apps," Symantec said.

Users are advised to review the permissions an app requires and read its privacy policy before installing it. Both Android and iOS offer a way to remove unnecessary permissions through system settings. In Android, Google has provided a Permissions option that you can find in the Settings menu. If you own an iPhone or iPad, you can remove unnecessary permissions by going to Settings and then tapping the Privacy option.

Google and Facebook have also separately provided ways to see which apps are using your personal data. You can review and edit which third-party apps have access to your Google account by visiting the Permissions section under My Account. Similarly, Facebook has provided the Apps & Websites section in the Settings menu to help you discover and edit the permissions used by each third-party app.

In addition to apps with risky and extensive permissions, Symantec has found that as many as 68 fraudulent apps on Google Play, built by five different developers, contain aggressive advertisements. It is alleged that there are huge discrepancies between the apps' content and their descriptions and titles. "After users install the apps, they are subjected to a series of guided screens, with advertisements popping up at every single Next button pressed. However, despite the detailed descriptions for the apps, they provide none of the described functionalities," the company said in a separate blog post.

Notably, the installation count of the fraudulent apps spotted by Symantec ranges from 50 to 50,000. These apps promise to unlock SIM cards or transform your device into a wireless mouse. Some apps were also found to be named after popular games and movies, such as Far Cry and 13 Reasons Why, to persuade users to install them. Instead of showing any legitimate content, the apps include only an image that looks similar to their Google Play listing, along with aggressive advertisement pop-ups.

Symantec recommends that users keep their devices up to date with the latest software and not download apps from unfamiliar sites. Users are also advised to make frequent backups of their important data and install apps only from trusted sources.